A flaw was reported in the Linux kernel, versions 2.6.9 to 2.6.17, when running on x86_64, where a user could use a regular 32bit process to trigger a kernel panic, without any special privileges. The bug occurs when a 32bit user process triggers a segfault (i.e. de-reference a null-pointer) after having performed a mprotect() to restrict any rwx access on its VDSO page.
In version 2.6.18 and on, the internal mechanism to access the VDSO uses the find_vma() wrapper which fixes the problem as a side-effect.
The reporter indicates that this only occurs on a 64bit machine with a program compiled in 32bit mode.
Acknowledgements:
Red Hat would like to thank STMicroelectronics for responsibly reporting this issue.